Autopentest AI

v1.0.0Securitystable

Agentic Pentesting MCP server that discovers, exploits, and reports web application vulnerabilities.

autopentest-aimcpai-integration
Share:
144
Stars
0
Downloads
0
Weekly
0/5

What is Autopentest AI?

Autopentest AI is a Model Context Protocol (MCP) server that allows AI assistants like Claude, Cursor, and VS Code to agentic pentesting mcp server that discovers, exploits, and reports web application vulnerabilities.

Agentic Pentesting MCP server that discovers, exploits, and reports web application vulnerabilities.

This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • Agentic Pentesting MCP server that discovers, exploits, and

Use Cases

Agentic Pentesting MCP server that discovers, exploits, and reports web applicat
bhavsec

Maintainer

LicenseApache-2.0
Languagepython
Versionv1.0.0
UpdatedMay 20, 2026
Statushealthy
Maintenanceactive

Works with

ClaudeOpenAIwindowsmacoslinux

Installation

Manual Installation

npx autopentest-ai

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time< 200ms
ThroughputMedium

Resource Usage

Memory UsageLow
CPU UsageLow

How to Set Up and Use Autopentest AI

Autopentest AI is an agentic penetration testing MCP server that systematically discovers, exploits, and reports web application vulnerabilities following the OWASP Web Security Testing Guide (WSTG). It orchestrates specialised subagents — Scout, Analyzer, Exploiter, and Reporter — across 7 structured phases, exposing over 68 MCP tools that wrap industry-standard security tools including katana, ffuf, sqlmap, dalfox, nuclei, nmap, hydra, and testssl.sh. The server enforces an anti-hallucination framework where every finding must be backed by a real exploit, making it suitable for professional web application security assessments on authorised targets.

Prerequisites

  • Docker installed and running (the tool container runs all security tools in isolation)
  • Python 3.10 or later and uv package manager for the MCP server
  • Make (build tool) available on your system
  • An MCP-compatible client such as Claude Desktop
  • Written authorisation to test the target web application — running against systems you do not own is illegal
1

Clone the repository

Clone the autopentest-ai repository to your local machine — the MCP server and Docker tool container are both managed from here.

git clone https://github.com/bhavsec/autopentest-ai.git
cd autopentest-ai
2

Install the MCP server Python dependencies

Use uv to sync the server dependencies in isolation. The server/ directory contains the MCP entrypoint (server.py).

cd server && uv sync && cd ..
3

Build the Docker image and install security tools

Run make setup to build the Docker image containing all 10+ security tools (katana, ffuf, sqlmap, nuclei, nmap, etc.) used during the pentest.

make setup
4

Verify all tools are installed

Run make verify-tools to confirm every required tool is present and executable inside the Docker container before starting a test.

make verify-tools
5

Create a target configuration file

Copy the example YAML config and fill in your authorised target details including URL, scope, and any authentication credentials needed.

# configs/my-target.yaml
target:
  url: https://authorised-target.example.com
  scope:
    - authorised-target.example.com
  exclude:
    - logout
Authentication:
  login_type: form
  credentials:
    username: testuser
    password: testpass
reporting:
  tester_name: Your Name
6

Configure your MCP client

Add both the autopentest-ai MCP server and the Playwright MCP server (used for browser-based discovery) to your .mcp.json config.

{
  "mcpServers": {
    "wstg-pentest": {
      "command": "uv",
      "args": ["--directory", "./server", "run", "server.py"]
    },
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp"]
    }
  }
}

Autopentest AI Examples

Client configuration

.mcp.json configuration for Autopentest AI with the required companion Playwright MCP server for browser-based testing.

{
  "mcpServers": {
    "wstg-pentest": {
      "command": "uv",
      "args": ["--directory", "/path/to/autopentest-ai/server", "run", "server.py"]
    },
    "playwright": {
      "command": "npx",
      "args": ["-y", "@playwright/mcp"]
    }
  }
}

Prompts to try

Example prompts that drive the full WSTG assessment workflow, targeted tests, and resuming interrupted engagements.

- "Run a full WSTG assessment against https://authorised-target.example.com using credentials admin / P@ssw0rd123"
- "Load the config from configs/my-target.yaml and run the pentest"
- "Run WSTG-INPV-05 SQL Injection test against https://app.example.com/search?q="
- "Test https://app.example.com for CORS misconfiguration (WSTG-CONF-13)"
- "Resume engagement pentest-2026-02-11-myapp from where it stopped"

Troubleshooting Autopentest AI

make setup fails with Docker build errors

Ensure Docker Desktop is running and your user has permission to build images (docker info should work without sudo). On Linux, add your user to the docker group: sudo usermod -aG docker $USER, then log out and back in.

uv sync fails with Python version errors

The server requires Python 3.10. Check your version with python3 --version. If you have multiple Python versions, specify: uv venv --python 3.10 inside the server/ directory before running uv sync.

No findings are reported despite running scans

The anti-hallucination framework requires a confirmed exploit for every finding. Review the task tree for the current phase — the agent may be in a discovery or analysis phase that has not yet produced exploitable results. Allow the full 7-phase workflow to complete.

Frequently Asked Questions about Autopentest AI

What is Autopentest AI?

Autopentest AI is a Model Context Protocol (MCP) server that agentic pentesting mcp server that discovers, exploits, and reports web application vulnerabilities. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Autopentest AI?

Follow the installation instructions on the Autopentest AI GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Autopentest AI?

Autopentest AI works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Autopentest AI free to use?

Yes, Autopentest AI is open source and available under the Apache-2.0 license. You can use it freely in both personal and commercial projects.

Autopentest AI Alternatives — Similar Security Servers

Looking for alternatives to Autopentest AI? Here are other popular security servers you can use with Claude, Cursor, and VS Code.

Casdoor

13.6k

An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD

ghidraMCP

9.0k

An Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through

HexStrike AI

8.9k

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b

IDA Pro MCP

8.7k

Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.

Anthropic Cybersecurity Skills

6.6k

754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform

Hooker

5.1k

🔥🔥 hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u

Browse More Security MCP Servers

Explore all security servers available in the MCPgee directory. Each server includes setup guides for Claude, Cursor, and VS Code.

Quick Config Preview

{ "mcpServers": { "autopentest-ai": { "command": "npx", "args": ["-y", "autopentest-ai"] } } }

Add this to your claude_desktop_config.json or .cursor/mcp.json

Read the full setup guide →

Ready to use Autopentest AI?

Browse our complete directory of 33,000+ MCP servers, read setup guides for your editor, and start building with the Model Context Protocol.

33,000+ ServersFree & Open SourceStep-by-Step Guides